General

  • Target

    SolaraExec.exe

  • Size

    720.4MB

  • Sample

    241212-247leszqew

  • MD5

    2637d1d89de4cc8e2ba1328c5c15a4f0

  • SHA1

    55556776243a82c64656252d09d05631b12a2f8c

  • SHA256

    7b2583e41b5bdf417f580405ff20649d9253fa1aeeac4236fa1d1173256704df

  • SHA512

    6a09fb7d2881c8e890f44b891440fd0f5b04aa3afae40edb9346e64c6d94601d8a3bdd98b566a3944ff44246682ef3ae7fd3835c52560969715ef7dde10a6fc2

  • SSDEEP

    98304:XwV5p0JL9Ob4G4VtHDT+JY1QFBkOhZa5cOWHlrcTLB:Xw8Ob4G4b+21QFBUFUlcHB

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes

  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Work

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Targets

    • Meduza

      Meduza is a crypto wallet and info stealer written in C++.

    • Meduza Stealer payload

    • Meduza family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks